Targeted junkmail "from" your GP?

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Mon, 30 Jun 2008 01:59:00 +0100


Ben Laurie wrote:
> Wendy M. Grossman wrote:
>> Roland Perry wrote:
>>
>>> I have no idea what they are proposing to do, but in principle it 
>>> would be relatively straightforward for them to have anonymised 
>>> patient records, and then send a message back to the NHS saying 
>>> "please forward the following invitation to patient number XYZ", 
>>> where only the NHS/PCT etc knows that patient's name or address. They 
>>> could even send the invite to the patient's GP, who could then call 
>>> the patient in to discuss the issue.
>>
>> Research indicates that re-identifying supposedly anonymized records 
>> is not all that difficult.
> 
> That's a rather broad generalisation. What research shows is that you 
> have to be very careful when you anonymise records - merely removing the 
> name and address _may_ not be sufficient.
> 

This is a matter of opinion, but I'd go with Wendy.

If you provide researchers with some anonymised data, you don't know 
what other data-sets they may have access to.

If the anonymised data provided contains sensitive information - eg HIV 
status - then it is irresponsible to provide any large dataset, with 
more than a very few pieces of information about each "anonymised" 
individual.

To see why, there are about 7 x 10^7 people in the UK. If one piece of 
information in the individual's file applies to maybe one person in 70, 
eg age, then there are 10^6 possible people who could be the person 
involved.

Now add in the area they live in, say 50,000 people live there, and you 
are talking about 710 "suspects".

Sex? 355 "suspects".

Weight? Say 35 "suspects", depending on accuracy.

Occupation? Down to less than one.

Now the person you give the data to may not have access to those details 
as they apply to the populace at large - but he may.

On the other hand, he may not even need them, as if there is no 
17-year-old female hairdresser who weighs 250 lbs in that area, that is 
enough for him to conclude that she doesn't have HIV (that's a JOKE).

Conversely, if there is such a person, he can probably conclude that she 
does have HIV or is likely to, and may find out by eg teasing that person.


So just removing name and address is not likely to be sufficient.

EVER.



-- Peter Fairbrother
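
Added example, not part of the original message: a check a data custodian could run on a release candidate to see how the smallest group of indistinguishable records shrinks as each attribute from the post is included. The records are constructed, the field and function names are hypothetical, and the shares for sex (1/2) and weight (1/10) are read off the post's own figures.

```python
from collections import Counter

# Constructed sample release: names and addresses already removed.
FIELDS = ("age", "area", "sex", "weight_band", "occupation")
RECORDS = [  # quasi-identifiers in FIELDS order, then the sensitive value
    (17, "A", "F", "heavy", "hairdresser", "positive"),
    (17, "A", "F", "light", "student", "negative"),
    (17, "A", "M", "light", "student", "negative"),
    (17, "A", "M", "light", "apprentice", "negative"),
    (17, "B", "F", "light", "student", "negative"),
    (17, "B", "F", "light", "student", "negative"),
    (17, "B", "M", "heavy", "apprentice", "negative"),
    (17, "B", "M", "heavy", "apprentice", "positive"),
]


def class_sizes(records, quasi_ids):
    """Count records sharing each combination of the chosen quasi-identifiers."""
    cols = [FIELDS.index(name) for name in quasi_ids]
    return Counter(tuple(rec[c] for c in cols) for rec in records)


def k_anonymity(records, quasi_ids):
    """Size of the smallest group of records with identical quasi-identifiers."""
    return min(class_sizes(records, quasi_ids).values())


def unique_records(records, quasi_ids):
    """Records whose quasi-identifier combination matches nobody else."""
    return sum(1 for n in class_sizes(records, quasi_ids).values() if n == 1)


def expected_suspects(population, fractions):
    """The post's estimate: scale the population by each attribute's share."""
    for share in fractions:
        population *= share
    return population


def narrowing(records):
    """(fields, k, unique count) as each quasi-identifier is added in turn."""
    return [(FIELDS[:i], k_anonymity(records, FIELDS[:i]),
             unique_records(records, FIELDS[:i]))
            for i in range(1, len(FIELDS) + 1)]


if __name__ == "__main__":
    for fields, k, uniq in narrowing(RECORDS):
        print(f"{'+'.join(fields):45} k={k} unique={uniq}")
    # Age 1 in 70, area 50,000 of 7 x 10^7, then sex and weight shares.
    print(expected_suspects(7e7, [1 / 70, 50_000 / 7e7, 1 / 2, 1 / 10]))
```

A result of k=1 means at least one record is singled out by the released attributes alone, before any outside data-set is joined to it.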